Skip to main content

Beware calls from unknown numbers - this top messaging app has placed millions of iOS and Android users at risk

(Image credit: Shutterstock / Illus_man)

UPDATED: We have updated this article following a response from Signal, which told us new, updated versions of the app are available to download now.

Researchers have identified a security vulnerability in popular privacy-centric messaging app Signal.

Discovered by security firm Tenable, the bug could allow hackers to gain access to users’ coarse location data and map out patterns of movement - such as time-periods during which a user is likely to be at home, work, or their favorite local haunt.

To execute an attack, the hacker need only use Signal to call another user, whose location could be compromised whether or not the call is answered.

The Signal messaging app features end-to-end encryption for both calls and text messages, attracting millions of privacy-conscious users every day across Android and iOS. Even infamous whistleblower and champion of data privacy Edward Snowden claims to “use Signal every day.”

Signal vulnerability

However, according to an advisory published by Tenable, the app is not as watertight from a privacy perspective as its users might expect.

The newly discovered flaw exploits the WebRTC code handling DNS requests on a user's device. This can be used to leak information about a user’s DNS, which can in turn reveal coarse location data and allow the hacker to identify the victim’s location within a 400 mile radius. 

While this might appear inconsequential to most, using coarse location data in conjunction with DNS server pings from different networks (domestic Wi-Fi, public hotspots, 4G connections etc.) could be used by the hacker to make more precise location assumptions.

Signal was quick to issue a patch for the vulnerability via GitHub, as well as a patch to the WebRTC project in order to help other potentially affected apps.

The company added that an updated version of the app is also available now on the Apple App Store and Google Play Store, which users should download immediately.

Tenable noted that although average Signal users aren’t to be impacted, for certain Signal users, the issue could be, "quite serious". As the flaw affects WebRTC code used in many other popular apps, the company notes that users of other services could also be at risk.